flo at geekplace.eu
Thu Feb 23 14:36:39 UTC 2017
On 23.02.2017 15:19, Peter Waher wrote:
> Hello all.
> SHA-1 is used in many places throughout XMPP. Examples include
> authentication mechanisms (SCRAM-SHA-1) and entity capabilities
> (XEP-0115), for instance. Concerning the recent report about
> vulnerabilities found in SHA-1, should there be an effort to upgrade all
> these to SHA-256 or later?
The examples you gave already come with built-in hash agility. For SCRAM
there is RFC 7677, and XEP-0115 has the 'hash' attribute.
But it may be sensible to change the mandatory hash algorithm of
XEP-0155. And after we decided a successor of SHA-1 for XEP-0115 we
could also fix the existing flaws of XEP-0115 like , because this
would require a namespace bump anyway.
I'm curious if we have protocols without hash agility. Those would be
the ones who need the most attention.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 610 bytes
Desc: OpenPGP digital signature
More information about the Standards